Introduction

The ability to produce, without too much difficulty, machines which can be microcoded has given us new possibilities. First, we can design an architecture and realise it on several hardware configurations. Flex is such an architecture and it has been implemented on three different machines since 1978, with another implementation envisaged (1). Second, we have been able to design a storage allocation scheme, extending to both the main memory and the backing store, in which access is totally controlled and checked by the microcode. Within this we have been able to include an efficient treatment of procedures as true values (2), unlimited by the restrictions of stack based architectures. This has resulted in a substantial increase in flexibility and in the uniformity and sophistication of the control which can be achieved.

The Flex architecture is intended to provide interactive computing for several users. By supporting the use of procedures as true values, aided by capabilities implemented with a tagged memory (rather than by segregation) and extended through the backing store, it provides a particularly safe machine. The instruction code was designed as a target for high level language compilers, particularly in respect of the methods of addressing and the fact that memory allocation and garbage collection is microcoded. Support for indefinitely many processes, structured values on backing store and the use of procedure values are significant for operating systems. This paper describes the architecture and then indicates how capabilities and procedure values can be combined to give security and to help in the writing of operating systems.

Since Flex is for interactive use, the main processor needs to respond in times comparable with human reactions. By placing the control of peripherals in special peripheral processors we remove from the main processor any need to respond in microseconds rather than tenths of a second. Hence a fast microcoded garbage collector (which works in linear time) can be employed, without being detectable by any degradation of performance. On the average about 3% of the time is taken up by garbage collection.

Versions  of  Flex  have  been  in  use  for  more  than  three  years,  and  a 
considerable  amount  of  software  exists. 

Memory  allocation 

Data (including code) in Flex is measured in words, bytes or bits and is contained in blocks (called objects in some systems). The programmer does not see a linear store, but an indefinite number of separate blocks each of size between zero and the full capacity of the machine, which he handles by means of pointers which occupy one word. Having a pointer to a block enables one to use only that block and to use it only in a permitted way. The microcode organises the allocation and distribution of these blocks within the real memory. Each word of the real memory has some tag bits which are used to distinguish the words which are pointers from other words and from bits and bytes. The tag bits cannot be altered by the programmer and are used by the microcode to check the appropriateness of the operations on the word.

Each block has a type which controls what are the legal operations on it. There are six types of which the main ones are

1) normal data, which can be read and if the pointer permits can be altered,

2) procedures, which can only be obeyed (with parameters),

3) code, which contains the instructions which are part of the definition of a procedure,

4) workspaces, which are used for the obeying of procedures.

Every instruction checks that its operands are legal. For example, an integer cannot be added to a pointer, nor can access relative to a pointer be used to read or write outside its block. A procedure can be obeyed but neither read nor written and stack operations cannot overflow the block which contains the stack.

Pointers are only created by the microcode and cannot in any way be forged. Hence, although all the users are running together in the same memory, each user can only access the blocks which his current set of pointers gives him, and only in the ways appropriate to each block. Separate or common use of data, or use supervised by means of procedures, can be flexibly provided and safely controlled. A pointer to a block of zero size gives a way of creating an unforgeable piece of data which can be used as a key.

In order to represent a reference, that is data which is itself the address of other data, two words are needed - the pointer which says which block is to be used and an offset which says where in the block the data starts. In order to represent a reference to a vector of data three words are needed - the pointer to the block, the offset of the start of the vector and the number of items in it. The instruction code knows about references and vectors and all operations on them are of course checked for validity. The item to which the reference points and the items which are the components of the vector can be of any size in words, bytes or bits.

The store is garbage collected by the microcode using a fast compacting method which is linear in all its parameters. Because of the speed of the algorithm and the fact that it is obeyed in microcode, garbage collection is a small overhead on the operation of the machine.

The backing stores are organised as similar, separate addressing schemes with blocks of similar types containing pointer or non-pointer data and with access controlled in the same way. However, although the main memory can contain pointers into a backing store it is not possible to point from backing store into main memory or from one backing store to another. There is complete freedom to have arbitrarily complex structures on the backing store. We have chosen in practice to have only one alterable block on backing store in order to enforce a regime which is very safe against backing store failures.

The storage scheme serves a purpose similar to normal capabilities, but tagging the pointers instead of segregating them in separate blocks makes it much easier to write compilers, since all the data can be handled uniformly and the parts of what are logically the same structure can be kept together. Also, as will appear, by depending heavily on procedures we obtain a very flexible protection scheme.

the declaration). In order to do this in Flex we set up, at the evaluation of the declaration, a separate block containing i and all the other items used in f but declared outside it (including references) and we bind this block with the code and the constants to form the procedure. This gives us what is commonly called static binding.

Dynamic binding can be provided but is generally undesirable. A pointer to this block now represents the procedure, which can only be executed and cannot be decomposed.

A procedure will protect the non-locals from the garbage collector, but will not enable the user to access the non-locals except in so far as the procedure operates on them. If the declaration was in a loop or a
Figure 6

The procedures k and l here have just one non-local which is a reference (pointer and offset).

Such procedure values have been known for a long time (2) but have not been widely used because implementing them has involved heavy overheads, but Flex with its low overhead garbage collector can afford to use them freely.

Because they have not been widely used some of their importance has escaped notice, especially in the area of controlling access to data and their relation with capabilities, and indeed their necessity if capabilities are to achieve their full potential. In the rest of this paper we concentrate on demonstrating their uses in this area and in the writing of operating systems.


Simple policies for controlling the access and use of data are not adequate. Granting permission for such low-level operations as reading and writing on the basis of the identity of the user does not provide a satisfactory means of control. In general we need to carry out an arbitrary checking action when access to data is wanted, that action depending on the particular data among other information. The use of procedure values is precisely what gives us that ability. If we make the actual data be a non-local of a procedure and give that procedure to a user, he will only be able to see the data or change it by calling the procedure, at which moment the body of the procedure can carry out checks, record footprints or whatever is required. Since the procedure is impenetrable we can be sure that this is all that he can do. Because true procedure values can be created we can set things up so that only the procedure has access to the data, and no-one else including the operating system. Thus we can accommodate various policies and implement unforeseen requirements for control.

The operating system is no different from any user in respect of the mechanisms available to afford it protection. It has pointers which give it access to certain blocks which it makes available to the users only through procedures. Indeed the interface between the operating system and a user is precisely through a set of such procedures. A user in his turn can act as an operating system to a sub-user or pass procedures to a parallel user and has just as much sophistication available to him by way of control as has the operating system.

Let us consider an example, a pair of procedures which share a reference to which no one else has access. One procedure writes into the reference, the other reads from it.

This could be set up by a procedure to generate such pairs of procedures.

    proc makechannel = struct(proc(int)void in, proc int out):
    begin ref int i = heap int;

      ( (int j)void: begin i := j end,
        int: begin i end )
    end

Any number of calls of makechannel can be made, each of which will set up a new pair of procedures with a new common reference and no one else will have any access to any of the references. Clearly the parameters and bodies of the procedures could be complex and contain any checks or operations on the data. No interaction with the operating system is needed to set up the scheme. A scheme in which the references were generated by a program which might still have access to them would be undesirable.
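The makechannel pattern above, and the supervised access described in the preceding section, as an added Rust example that is not code from the paper or from the Flex system: each call of make_channel allocates a fresh cell that is a non-local of two closures and of nothing else, and guard_reader binds the reader into a new procedure that runs a check and records a footprint on every call. The allow-list policy, the user names and the audit log are constructed details for illustration.

```rust
use std::cell::RefCell;
use std::rc::Rc;

// A pair of procedure values that share one hidden reference.
pub struct Channel {
    pub put: Box<dyn FnMut(i32)>,
    pub get: Box<dyn Fn() -> i32>,
}

// Counterpart of the paper's makechannel: the cell becomes a non-local of
// the two closures; no other name refers to it, so the only way to touch
// the value is to obey one of the two procedures.
pub fn make_channel(initial: i32) -> Channel {
    let cell = Rc::new(RefCell::new(initial));
    let w = Rc::clone(&cell);
    let r = Rc::clone(&cell);
    Channel {
        put: Box::new(move |v: i32| { *w.borrow_mut() = v; }),
        get: Box::new(move || *r.borrow()),
    }
}

// Supervised access: the reader is bound into a new procedure that performs
// a check and records a footprint on every call. The allow-list policy is a
// constructed example; the checking action could be arbitrary.
pub struct Guarded {
    pub read: Box<dyn FnMut(&str) -> Option<i32>>,
    pub audit: Box<dyn Fn() -> Vec<String>>,
}

pub fn guard_reader(inner: Box<dyn Fn() -> i32>, allowed: Vec<String>) -> Guarded {
    let log = Rc::new(RefCell::new(Vec::new()));
    let log_w = Rc::clone(&log);
    let read: Box<dyn FnMut(&str) -> Option<i32>> = Box::new(move |user: &str| {
        let ok = allowed.iter().any(|u| u == user);
        let verdict = if ok { "read" } else { "denied" };
        log_w.borrow_mut().push(format!("{}: {}", user, verdict));
        // Only the guard procedure holds `inner`; a denied caller gets nothing.
        if ok { Some(inner()) } else { None }
    });
    let audit: Box<dyn Fn() -> Vec<String>> = Box::new(move || log.borrow().clone());
    Guarded { read, audit }
}
```

Passing `c.get` into guard_reader moves the only reading procedure into the guard, so the holder of the Guarded value can reach the cell solely through the checked path.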

Another typical use of procedure values is shown in the way in which the operating system gives a user procedures to manipulate the display on his vdu. The basic code for displaying is bound together with the pointers owned by the operating system which identify the vdu to form a procedure which will only affect the particular vdu in question. This procedure is then given to the user. A similar technique can be used for output from files, where the data is bound with code to form a procedure which, each time it is called, gives the next line of the file. This is used not only to provide control, but also so that programs which use the lines do not need to know how the file is represented, but only need the specification of the procedure.

Backing store procedures can be created which have a similar nature to those in memory. Once again they consist of code and constants (on the backing store) which can be bound to a set of non-locals (on the backing store) to form a backing store procedure. The only operation available on this is to bring it into memory and convert it into a normal procedure. This facility can be used for many purposes. For example, the operating system creates dictionaries which consist of a number of procedures, including one to look up an identifier and find the corresponding value and one to insert a pair consisting of an identifier and a value. These have bound into them the backing store data structures which actually represent the information in the dictionary, but this is totally inaccessible except through the procedures. Thus the integrity of the data can be assured. The user is given the procedures and can only do his manipulations through them. If he wishes he can create in terms of these procedures others, either in memory or on backing store, which offer a subset of the facilities, check accesses or whatever he requires, and pass these to other users or to his sub-users. Furthermore this again helps to preserve a constant interface, since it is the specification of the procedures which has to be kept constant rather than the actual data structure representing the dictionaries.


In fact only a small kernel of procedures is supplied initially and operating systems are built up on top of these without needing any special facilities to do so.